jpfulton

asked on

RegCleanPro, Delta-Search, BitGuard -- Tried to remove... no luck

Hi. Working on a computer for a friend. I'm not sure if it's really full on virus/trojan/malware or if it's just really difficult to remove. All I've done so far is run HitmanPro twice. It found a lot of stuff and removed it the first time. About 9 entries were trojans/riskware/etc. The second time I ran it, it found only one virus (BitGuard.dll). The computer is UNBELIEVABLY slow and it shouldn't be based on its specs. I used it a few months ago and its performance was normal. Here's my DDS log to get started. Please let me know what's next. THANK YOU!!

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.25.2
Run by Owner at 14:25:53 on 2013-09-19
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3932.3305 [GMT -4:00]
.
AV: Microsoft Security Essentials Prerelease *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials Prerelease *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\systempropertiesremote.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mWinlogon: Userinit = userinit.exe
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: TidyNetwork.com: {7736C7FA-512D-11E2-B871-DEC36088709B} - C:\Users\Owner\AppData\Local\TidyNetwork.com\tidy2ie.dll
BHO: Define: {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - C:\Users\Owner\AppData\Local\DefineExt\temp.dat
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Delta Toolbar: {82E1477C-B154-48D3-9891-33D83C26BCD3} - C:\Program Files (x86)\Delta\delta\1.8.24.6\deltaTlbr.dll
mRun: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 10.0.0.2
TCP: Interfaces\{F1AAC217-E342-4BCD-B559-3BFB63A2AAEC} : DHCPNameServer = 10.0.0.2
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files (x86)\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
AppInit_DLLs= c:\progra~3\bitguard\261673~1.238\{c16c1~1\bitguard.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-Run: [picon] "C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PIconStartup.exe" -startup
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - <orphaned>
x64-Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ditm8wqa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3309350&CUI=UN24822878988143265&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www2.delta-search.com/?babsrc=HP_ss&mntrId=C02C0024E820B956&affID=122786&tt=110913_221&tsp=5002
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3309350&SearchSource=2&CUI=UN24822878988143265&UM=2&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_168.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-09-03 00:00; umylsm@sqhjcpzmeselzlp.org; C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ditm8wqa.default\extensions\umylsm@sqhjcpzmeselzlp.org
FF - ExtSQL: 2013-09-03 15:51; tidynetwork@tidynetwork; C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ditm8wqa.default\extensions\tidynetwork@tidynetwork
FF - ExtSQL: 2013-09-03 15:52; {650598e1-b35a-45d3-b607-896d7acb64c3}; C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ditm8wqa.default\extensions\{650598e1-b35a-45d3-b607-896d7acb64c3}
FF - ExtSQL: 2013-09-11 15:49; ffxtlbr@delta.com; C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ditm8wqa.default\extensions\ffxtlbr@delta.com
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - c02c4b1b0000000000000024e820b956
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15959
FF - user.js: extensions.delta.vrsn - 1.8.24.6
FF - user.js: extensions.delta.vrsni - 1.8.24.6
FF - user.js: extensions.delta.vrsnTs - 1.8.24.615:49:40
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta_i.babTrack - affID=122786&tt=110913_221&tsp=5002
FF - user.js: extensions.delta_i.babExt -
FF - user.js: extensions.delta_i.srcExt - ss
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k60x64.sys [2009-6-10 220672]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2012-9-17 56344]
S0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-8-28 250352]
S2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-1-20 139616]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;C:\Windows\System32\drivers\hitmanpro37.sys [2013-9-19 32512]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-9-18 25928]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
.
=============== Created Last 30 ================
.
2013-09-19 17:50:24      32512      ----a-w-      C:\Windows\System32\drivers\hitmanpro37.sys
2013-09-18 22:35:44      --------      d-----w-      C:\Users\Owner\AppData\Roaming\Malwarebytes
2013-09-18 22:35:16      --------      d-----w-      C:\ProgramData\Malwarebytes
2013-09-18 22:35:08      25928      ----a-w-      C:\Windows\System32\drivers\mbam.sys
2013-09-18 22:35:07      --------      d-----w-      C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-18 22:34:50      --------      d-----w-      C:\Users\Owner\AppData\Local\Programs
2013-09-18 22:32:09      --------      d-----w-      C:\Windows\pss
2013-09-18 21:21:17      --------      d-----w-      C:\ProgramData\HitmanPro
2013-09-18 17:18:50      9694160      ----a-w-      C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C4E423AC-3C49-438E-99E9-306C76CB2E91}\mpengine.dll
2013-09-16 17:22:12      9694160      ----a-w-      C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-14 23:34:24      --------      d-----w-      C:\ProgramData\BitGuard
2013-09-12 15:50:48      155584      ----a-w-      C:\Windows\System32\drivers\ataport.sys
2013-09-12 15:47:19      --------      d-----w-      C:\Users\Owner\AppData\Local\avgchrome
2013-09-12 15:38:12      --------      d-----w-      C:\ProgramData\Systweak
2013-09-12 15:38:09      16896      ----a-w-      C:\Windows\System32\sasnative64.exe
2013-09-12 15:38:09      --------      d-----w-      C:\Program Files (x86)\Advanced System Protector
2013-09-11 19:49:40      --------      d-----w-      C:\Users\Owner\AppData\Roaming\Systweak
2013-09-11 19:49:38      --------      d-----w-      C:\Program Files (x86)\Delta
2013-09-11 19:49:37      19368      ----a-w-      C:\Windows\System32\roboot64.exe
2013-09-11 19:49:33      --------      d-----w-      C:\Users\Owner\AppData\Roaming\Delta
2013-09-11 19:49:29      --------      d-----w-      C:\Program Files (x86)\RegClean Pro
2013-09-11 19:49:02      --------      d-----w-      C:\Users\Owner\AppData\Roaming\BabSolution
2013-09-11 19:49:02      --------      d-----w-      C:\ProgramData\DSearchLink
2013-09-11 19:48:46      --------      d-----w-      C:\ProgramData\Babylon
2013-09-07 18:13:45      965008      ------w-      C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7DF6B888-BCA6-4906-B175-20A332AF1717}\gapaengine.dll
2013-09-03 19:52:11      --------      d-----w-      C:\Users\Owner\AppData\Local\WeatherBug
2013-09-03 19:52:10      --------      d-----w-      C:\Users\Owner\AppData\Roaming\WeatherBug
2013-09-03 19:52:08      --------      d-----w-      C:\Program Files (x86)\AWS
2013-09-03 19:51:25      --------      d-----w-      C:\Users\Owner\AppData\Local\DefineExt
2013-09-03 19:51:17      --------      d-----w-      C:\Users\Owner\AppData\Local\TidyNetwork.com
2013-08-28 20:35:00      250352      ----a-w-      C:\Windows\System32\drivers\MpFilter.sys
.
==================== Find3M  ====================
.
2013-09-19 17:43:33      71048      ----a-w-      C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-19 17:43:33      692616      ----a-w-      C:\Windows\SysWow64\FlashPlayerApp.exe
2013-08-28 20:35:02      139616      ----a-w-      C:\Windows\System32\drivers\NisDrvWFP.sys
2013-08-10 05:22:18      2241024      ----a-w-      C:\Windows\System32\wininet.dll
2013-08-10 05:20:59      3959296      ----a-w-      C:\Windows\System32\jscript9.dll
2013-08-10 05:20:55      67072      ----a-w-      C:\Windows\System32\iesetup.dll
2013-08-10 05:20:55      136704      ----a-w-      C:\Windows\System32\iesysprep.dll
2013-08-10 03:59:10      1767936      ----a-w-      C:\Windows\SysWow64\wininet.dll
2013-08-10 03:58:09      2876928      ----a-w-      C:\Windows\SysWow64\jscript9.dll
2013-08-10 03:58:06      61440      ----a-w-      C:\Windows\SysWow64\iesetup.dll
2013-08-10 03:58:06      109056      ----a-w-      C:\Windows\SysWow64\iesysprep.dll
2013-08-10 03:17:38      2706432      ----a-w-      C:\Windows\System32\mshtml.tlb
2013-08-10 03:07:50      2706432      ----a-w-      C:\Windows\SysWow64\mshtml.tlb
2013-08-10 02:27:59      89600      ----a-w-      C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-10 02:17:19      71680      ----a-w-      C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-08-08 01:20:43      3155456      ----a-w-      C:\Windows\System32\win32k.sys
2013-08-02 02:23:53      5550528      ----a-w-      C:\Windows\System32\ntoskrnl.exe
2013-08-02 02:15:44      1732032      ----a-w-      C:\Windows\System32\ntdll.dll
2013-08-02 02:15:03      362496      ----a-w-      C:\Windows\System32\wow64win.dll
2013-08-02 02:15:03      243712      ----a-w-      C:\Windows\System32\wow64.dll
2013-08-02 02:15:03      13312      ----a-w-      C:\Windows\System32\wow64cpu.dll
2013-08-02 02:14:57      215040      ----a-w-      C:\Windows\System32\winsrv.dll
2013-08-02 02:14:11      16384      ----a-w-      C:\Windows\System32\ntvdm64.dll
2013-08-02 02:13:34      424448      ----a-w-      C:\Windows\System32\KernelBase.dll
2013-08-02 01:59:30      3968960      ----a-w-      C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-02 01:59:30      3913664      ----a-w-      C:\Windows\SysWow64\ntoskrnl.exe
2013-08-02 01:51:23      1292192      ----a-w-      C:\Windows\SysWow64\ntdll.dll
2013-08-02 01:50:42      5120      ----a-w-      C:\Windows\SysWow64\wow32.dll
2013-08-02 01:50:42      274944      ----a-w-      C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17      338432      ----a-w-      C:\Windows\System32\conhost.exe
2013-08-02 00:59:09      112640      ----a-w-      C:\Windows\System32\smss.exe
2013-08-02 00:45:37      25600      ----a-w-      C:\Windows\SysWow64\setup16.exe
2013-08-02 00:45:36      14336      ----a-w-      C:\Windows\SysWow64\ntvdm64.dll
2013-08-02 00:45:35      7680      ----a-w-      C:\Windows\SysWow64\instnm.exe
2013-08-02 00:45:34      2048      ----a-w-      C:\Windows\SysWow64\user.exe
2013-08-02 00:43:05      6144      ---ha-w-      C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05      4608      ---ha-w-      C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05      3584      ---ha-w-      C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05      3072      ---ha-w-      C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-07-29 16:39:40      96168      ----a-w-      C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-29 16:39:37      867240      ----a-w-      C:\Windows\SysWow64\npDeployJava1.dll
2013-07-29 16:39:37      789416      ----a-w-      C:\Windows\SysWow64\deployJava1.dll
2013-07-25 09:25:54      1888768      ----a-w-      C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27      1620992      ----a-w-      C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-19 01:58:42      2048      ----a-w-      C:\Windows\System32\tzres.dll
2013-07-19 01:41:01      2048      ----a-w-      C:\Windows\SysWow64\tzres.dll
2013-07-09 05:52:52      224256      ----a-w-      C:\Windows\System32\wintrust.dll
2013-07-09 05:51:16      1217024      ----a-w-      C:\Windows\System32\rpcrt4.dll
2013-07-09 05:46:20      184320      ----a-w-      C:\Windows\System32\cryptsvc.dll
2013-07-09 05:46:20      1472512      ----a-w-      C:\Windows\System32\crypt32.dll
2013-07-09 05:46:20      139776      ----a-w-      C:\Windows\System32\cryptnet.dll
2013-07-09 04:52:33      663552      ----a-w-      C:\Windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:10      175104      ----a-w-      C:\Windows\SysWow64\wintrust.dll
2013-07-09 04:46:31      140288      ----a-w-      C:\Windows\SysWow64\cryptsvc.dll
2013-07-09 04:46:31      1166848      ----a-w-      C:\Windows\SysWow64\crypt32.dll
2013-07-09 04:46:31      103936      ----a-w-      C:\Windows\SysWow64\cryptnet.dll
2013-07-06 06:03:53      1910208      ----a-w-      C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 14:32:42.10 ===============
attach.zip
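As an added example, not part of the original thread and not code from DDS, HitmanPro or any other tool named here: a small Python triage pass over lines copied from the "Pseudo HJT Report" and FIREFOX sections of the log above. It flags the four things a responder reads first in a log like this: an `AppInit_DLLs` entry (the listed DLL is loaded into every process that links user32.dll, which also explains the slowness), `mPolicies-System` values that switch UAC off, browser hooks (BHO, toolbar, URL search hook) whose module lives under the user-writable AppData tree or is not even a DLL, and homepage/search URLs that carry affiliate-tracking parameters. The severity levels, the policy descriptions and the tracking-parameter list are the editor's own heuristics; the sample lines are taken verbatim from the log above, not constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the DDS log in the question above (the log's own content,
# not constructed). Raw string, because the paths contain backslashes.
SAMPLE_LOG = r"""
uStart Page = hxxp://google.com/
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: TidyNetwork.com: {7736C7FA-512D-11E2-B871-DEC36088709B} - C:\Users\Owner\AppData\Local\TidyNetwork.com\tidy2ie.dll
BHO: Define: {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - C:\Users\Owner\AppData\Local\DefineExt\temp.dat
TB: Delta Toolbar: {82E1477C-B154-48D3-9891-33D83C26BCD3} - C:\Program Files (x86)\Delta\delta\1.8.24.6\deltaTlbr.dll
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
AppInit_DLLs= c:\progra~3\bitguard\261673~1.238\{c16c1~1\bitguard.dll
FF - prefs.js: browser.startup.homepage - hxxp://www2.delta-search.com/?babsrc=HP_ss&mntrId=C02C0024E820B956&affID=122786&tt=110913_221&tsp=5002
FF - ExtSQL: 2013-09-03 00:00; umylsm@sqhjcpzmeselzlp.org; C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ditm8wqa.default\extensions\umylsm@sqhjcpzmeselzlp.org
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium" (editor's own scale)
    reason: str
    line: str


# Policy values under mPolicies-System that weaken UAC when set to 0.
UAC_POLICIES = {
    "EnableLUA": "UAC is disabled entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}

# Query parameters the hijacked homepage/search URLs in this log carry; they
# identify a distribution affiliate, which a plain search-engine URL does not.
TRACKING_PARAMS = ("affID=", "mntrId=", "ctid=", "CUI=")

HOOK_PREFIXES = ("BHO:", "TB:", "uURLSearchHooks:")


def _module_path(line: str) -> str:
    """DDS writes '<type>: <name>: {CLSID} - <path>'; return the text after the last ' - '."""
    return line.rsplit(" - ", 1)[-1].strip() if " - " in line else ""


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a heuristic; clean lines yield nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. AppInit_DLLs: the listed DLL is injected into every process that loads user32.dll.
        m = re.match(r"AppInit_DLLs\s*=\s*(\S.*)$", line)
        if m:
            findings.append(Finding("high", f"AppInit_DLLs injects {m.group(1)} into every user32-linked process", line))
            continue

        # 2. UAC-weakening policies set to 0.
        m = re.match(r"mPolicies-System:\s*(\w+)\s*=\s*dword:0$", line)
        if m and m.group(1) in UAC_POLICIES:
            findings.append(Finding("high", f"{m.group(1)}=0: {UAC_POLICIES[m.group(1)]}", line))
            continue

        # 3. Browser hooks loaded from a user-writable profile directory, or from a file
        #    that is not a DLL at all (a .dat registered as a BHO is a strong signal).
        if line.startswith(HOOK_PREFIXES):
            path = _module_path(line).lower()
            reasons = []
            if "\\appdata\\" in path:
                reasons.append("browser hook loaded from user-writable AppData")
            if path and not path.endswith(".dll"):
                reasons.append("browser hook module is not a .dll")
            if reasons:
                findings.append(Finding("medium", "; ".join(reasons), line))
            continue

        # 4. Homepage / search settings carrying affiliate-tracking parameters.
        if (line.startswith("uStart Page") or line.startswith("FF - prefs.js: browser.")) \
                and any(p in line for p in TRACKING_PARAMS):
            findings.append(Finding("medium", "homepage/search URL carries affiliate tracking parameters", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample, the script reports the BitGuard `AppInit_DLLs` entry and the three UAC policies as high, and the TidyNetwork and Define hooks plus the delta-search homepage as medium, while the Java helper, the Program Files toolbars and the plain google.com start page produce nothing. Feeding it the full DDS log instead of `SAMPLE_LOG` works the same way, since it only looks at line prefixes.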
ASKER CERTIFIED SOLUTION
Nick Rhode
SOLUTION
Sudeep Sharma

jpfulton

ASKER

Awarding points to both because I used the tools mentioned in both posts. Computer appears to be squeaky clean now and performance is 100% back.
Just make sure that shortcuts of browsers don't have the links to any of these.

Sudeep
Thank you for the tip. I'll check for that in a little bit.